{"data":{"id":"7866b0d0-f437-4549-89d9-8f6685452a43","title":"GHSA-rh7v-6w34-w2rr: Flowise: File Upload Validation Bypass in createAttachment","summary":"FlowiseAI has a file upload validation bypass vulnerability in its Chatflow configuration where attackers can modify settings to allow the application/javascript MIME type (a file format label), enabling them to upload malicious .js (JavaScript) files even though the interface normally blocks them. These uploaded files can become persistent web shells (programs that let attackers run commands on the server), potentially leading to RCE (remote code execution, where an attacker can run arbitrary commands on the system).","solution":"N/A -- no mitigation discussed in source. This record's affectedPackages field lists 3.1.0 as the fixed release for flowise <= 3.0.13 and patchAvailable is true, so upgrading to 3.1.0 is the remediation the record itself supports.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-rh7v-6w34-w2rr","publishedAt":"2026-04-16T21:49:28.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["flowise@<= 3.0.13 (fixed: 3.1.0)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["FlowiseAI","Flowise"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-16T21:49:28.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}